Lucas_Werkmeister_WMDE added a comment.
> **General Security Issues**
>
> 1. `njsscan` did find some potential issues with vue's `v-html` attribute. I'd guess most of these are false positives given that they render messages which shouldn't be vulnerable as they are used within the TypeScript app and likely secure content-rendering functions (`title`, `getBodyMessage`, `referenceHTML` et al). Still posting the results here (P11942) for review and confirmation with a probable **Risk: {icon check-circle color=green} low**.

I looked at these earlier and thought they all looked like false positives, but I seem to have lost access to the paste now for some reason, so I can’t say for sure. But looking through v-html codesearch results <https://codesearch.wmcloud.org/search/?q=v-html&files=%5C.vue%24&repos=Extension:Wikibase>:

- All instances of `v-html="$messages.get( … )"` should be safe. `$messages.get()` is a wrapper around mw.message().parse() <https://www.mediawiki.org/wiki/Manual:Messages_API#Using_messages_in_JavaScript>, where `mediawiki.jqueryMsg` (which our app module depends on <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/includes/DataBridge/DataBridgeResourceLoaderModules.php#89>) will escape HTML. (See also T115888.)
- `<span v-html="title" />` in AppHeader.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/AppHeader.vue> should be safe. `title` is a getter wrapping `$messages.get()`, see above.
- `v-html="messageHeader"` and `v-html="messageBody"` in ErrorPermissionInfo.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/ErrorPermissionInfo.vue> should be safe. `messageHeader` and `messageBody` are properties of the component; `ErrorPermission.vue` fills them with its `getMessageHeader()` and `getMessageBody()` methods, respectively, which both wrap `$messages.get()`, see above.
- `v-html="getBodyMessage"` in License.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/License.vue> should be safe. `getBodyMessage` is a getter wrapping, you guessed it, `$messages.get()`.
- `v-html="referenceHTML"` in ReferenceSection.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/ReferenceSection.vue> should be safe. `referenceHTML` comes from the `renderedTargetReferences` array in the app state, which is populated in the renderReferences action <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/store/actions.ts#120> using the ApiRenderReferencesRepository <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/data-access/ApiRenderReferencesRepository.ts>, which gets the HTML from the wbformatreference API <https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/includes/Api/ApiFormatReference.php>, where the HTML ultimately comes from a `Parser` based on wikitext input.
- `v-html="message"` in ReportIssue.vue <https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/dd9f855b35e56813750ad9f43280ce04059ac583/client/data-bridge/src/presentation/components/ReportIssue.vue> should be safe. `message` is a getter wrapping `$messages.get()`.
TASK DETAIL https://phabricator.wikimedia.org/T249039
Wikidata-bugs mailing list Wikidata-bugs@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
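The reasoning in the comment above rests on one property: a `v-html` binding is acceptable when the message text is trusted (it comes from the i18n catalogue and may contain markup on purpose) while every parameter substituted into it is HTML-escaped. The following is an added example, not Wikibase or MediaWiki code, that models that contract in plain JavaScript so the difference between the safe wrapper and the anti-pattern njsscan is hunting for can be seen on a concrete payload. The message catalogue, the keys, the attacker value and the helper names (`getMessage`, `unsafeInterpolate`, `tagNames`, `hasEventHandlerAttribute`) are all constructed for the example; the missing-key marker is a stand-in, not a claim about `mw.message()`'s exact output.

```javascript
// Added example, not Wikibase or MediaWiki code: a minimal model of the contract
// that makes `v-html="$messages.get( … )"` acceptable. Message text is trusted
// (it comes from the wiki's i18n catalogue and may legitimately contain markup);
// parameters are untrusted and are HTML-escaped before substitution, which is the
// property mediawiki.jqueryMsg provides in parse mode. The catalogue, message keys
// and helper names here are constructed for the example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed stand-in for the i18n catalogue. Markup in message text is authored
// by developers and translators, which is why it is allowed to pass through.
const MESSAGES = {
  'example-permission-header': 'You are not allowed to edit <strong>$1</strong>',
  'example-permission-body': 'Reason: $1 (reported by $2).',
};

// Model of $messages.get(): each $N placeholder is replaced by the escaped
// parameter N. A placeholder with no parameter is left as-is; an unknown key
// yields a visible marker instead of throwing (a stand-in, not MediaWiki's exact output).
function getMessage(key, ...params) {
  const text = MESSAGES[key];
  if (text === undefined) {
    return '\u29FC' + escapeHtml(key) + '\u29FD';
  }
  return text.replace(/\$(\d+)/g, (placeholder, index) => {
    const param = params[Number(index) - 1];
    return param === undefined ? placeholder : escapeHtml(param);
  });
}

// The anti-pattern an njsscan v-html finding is really about: untrusted input
// spliced into HTML without escaping, then handed to v-html.
function unsafeInterpolate(key, ...params) {
  const text = MESSAGES[key] || '';
  return text.replace(/\$(\d+)/g, (placeholder, index) => {
    const param = params[Number(index) - 1];
    return param === undefined ? placeholder : String(param);
  });
}

// Two cheap checks a reviewer can run over a rendered string to confirm that only
// catalogue markup survived. Neither is a sanitizer; they only inspect the output.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

function hasEventHandlerAttribute(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed attacker-controlled value, e.g. a page title supplied by the user.
const ATTACKER_TITLE = '<img src=x onerror="alert(document.cookie)">';

// Demonstration when run directly with node: the escaped version keeps only the
// catalogue's <strong>, the unescaped one smuggles in an <img onerror=...>.
const safe = getMessage('example-permission-header', ATTACKER_TITLE);
const unsafe = unsafeInterpolate('example-permission-header', ATTACKER_TITLE);
console.log('safe   :', safe, tagNames(safe), hasEventHandlerAttribute(safe));
console.log('unsafe :', unsafe, tagNames(unsafe), hasEventHandlerAttribute(unsafe));
```

This covers the five bindings that go through `$messages.get()`. The `referenceHTML` binding is a different case: its HTML is produced server-side by the wbformatreference API from wikitext, so the trust argument there is the MediaWiki `Parser`'s own sanitisation, which this client-side model does not represent.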